AC.L2-3.1.22 · NIST SP 800-171 3.1.22

Control Public Information

Control CUI posted or processed on publicly accessible systems.

1 point if not met · Must be fully met, cannot POA&M · 5 assessment objectives

What an assessor scores, the objectives

AC.L2-3.1.22 is met only when every one of these 5 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.

  • a. individuals authorized to post or process information on publicly accessible systems are identified
  • b. procedures to ensure CUI is not posted or processed on publicly accessible systems are identified
  • c. a review process is in place prior to posting of any content to publicly accessible systems
  • d. content on publicly accessible systems is reviewed to ensure that it does not include CUI
  • e. mechanisms are in place to remove and address improper posting of CUI

How a C3PAO checks it

NIST SP 800-171A defines three assessment methods. For AC.L2-3.1.22, an assessor uses these:

Examine

Access control policy; procedures addressing publicly accessible content; system security plan; list of users authorized to post publicly accessible content on organizational systems; training materials and/or records; records of publicly accessible information reviews; records of response to nonpublic information on public websites; system audit logs and records; security awareness training records; other relevant documents or records

Interview

Personnel with responsibilities for managing publicly accessible information posted on organizational systems; personnel with information security responsibilities

Test

Mechanisms implementing management of publicly accessible content

What it means, in context

In accordance with laws, Executive Orders, directives, policies, regulations, or standards, the public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act, CUI, and proprietary information). This requirement addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Individuals authorized to post CUI onto publicly accessible systems are designated. The content of information is reviewed prior to posting onto publicly accessible systems to ensure that nonpublic information is not included.

Only government officials can be authorized to release CUI to the public. Do not allow CUI to become public – always safeguard the confidentiality of CUI by controlling the posting of CUI on company-controlled websites or public forums, and the exposure of CUI in public presentations or on public displays. It is important to know which users are allowed to publish information on publicly accessible systems, like your company website, and implement a review process before posting such information. If CUI is discovered on a publicly accessible system, procedures should be in place to remove that information and alert the appropriate parties.

Example

Your company decides to start issuing press releases about its projects in an effort to reach more potential customers. Your company receives CUI from the government as part of its DoD contract. Because you recognize the need to manage controlled information, including CUI, you meet with the employees who write the releases and post information to establish a review process [c]. It is decided that you will review press releases for CUI before posting it on the company website [a,d]. Only certain employees will be authorized to post to the website [a].

Potential Assessment Considerations

  • Does information on externally facing systems (i.e., publicly accessible) have a documented approval chain for public release [c]?
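As an added example (not part of the assessment guide text above, and not a product of the page's vendor), the following Python sketches the kind of mechanism an assessor would test under this requirement: a pre-posting gate that checks the submitter is an authorized poster [a], that the approver is an authorized reviewer [c], scans the draft for CUI marking indicators before release [d], and re-scans content already on the public site so that anything flagged can be pulled [e]. The indicator list, the e-mail addresses and the two sample press releases are constructed placeholders. A pattern hit is a flag for the human reviewer to resolve, not a determination that the content is CUI; the review record is the evidence you keep.

```python
"""Pre-posting review gate for publicly accessible content (added example)."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Starter list of CUI marking indicators: banner marking, category or
# dissemination markings, the designation indicator block, and DoD distribution
# statements that bar public release. Assumption: your program extends this with
# contract-specific terms. A hit is a review flag, not proof the text is CUI.
CUI_INDICATORS = [
    (re.compile(r"\bCUI\b", re.IGNORECASE), "CUI banner marking"),
    (re.compile(r"\bCONTROLLED UNCLASSIFIED INFORMATION\b", re.IGNORECASE),
     "CUI banner marking, spelled out"),
    (re.compile(r"\bCUI//[A-Z0-9/-]+", re.IGNORECASE),
     "CUI category or dissemination marking"),
    (re.compile(r"\bControlled by:", re.IGNORECASE), "CUI designation indicator"),
    (re.compile(r"\bDISTRIBUTION STATEMENT [B-F]\b", re.IGNORECASE),
     "DoD distribution statement B-F, not cleared for public release"),
]

# Constructed placeholders for the people named in your procedure.
AUTHORIZED_POSTERS = {"comms.lead@example.com", "web.editor@example.com"}   # [a]
AUTHORIZED_REVIEWERS = {"fso@example.com"}                                   # [c]


@dataclass
class ReviewRecord:
    """One review decision; retained as assessment evidence [c], [d]."""
    item: str
    submitted_by: str
    reviewed_by: str
    approved: bool
    findings: list[str] = field(default_factory=list)
    reviewed_at: str = field(
        default_factory=lambda: datetime.now(timezone.utc).isoformat())


def find_cui_indicators(text: str) -> list[str]:
    """Return a human-readable finding for every indicator hit, with line numbers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern, label in CUI_INDICATORS:
            match = pattern.search(line)
            if match:
                findings.append(f"{label} at line {lineno}: {match.group(0)!r}")
    return findings


def review_for_public_release(item: str, text: str, submitted_by: str,
                              reviewed_by: str) -> ReviewRecord:
    """Gate a draft before it reaches a publicly accessible system.

    Approval requires an authorized poster [a], an authorized reviewer [c], and
    no marking indicators in the content [d]. Any finding blocks approval.
    """
    findings = []
    if submitted_by not in AUTHORIZED_POSTERS:
        findings.append(f"submitter {submitted_by} is not an authorized poster [a]")
    if reviewed_by not in AUTHORIZED_REVIEWERS:
        findings.append(f"reviewer {reviewed_by} is not an authorized reviewer [c]")
    findings.extend(find_cui_indicators(text))
    return ReviewRecord(item=item, submitted_by=submitted_by,
                        reviewed_by=reviewed_by, approved=not findings,
                        findings=findings)


def audit_published(pages: dict[str, str]) -> list[str]:
    """Periodic re-review of content already public [d]; returns paths to pull [e]."""
    return [path for path, text in pages.items() if find_cui_indicators(text)]


# Constructed sample content: one clean release and one draft still carrying markings.
CLEAN_RELEASE = (
    "Example Corp announces a new engineering facility in Huntsville.\n"
    "The site will open next spring. Contact press@example.com.\n"
)
MARKED_DRAFT = (
    "CUI//SP-CTI\n"
    "Controlled by: Example Corp Program Office\n"
    "Example Corp completed thermal testing of the bracket assembly.\n"
)

if __name__ == "__main__":
    for item, text in (("pr-001", CLEAN_RELEASE), ("pr-002", MARKED_DRAFT)):
        record = review_for_public_release(item, text, "comms.lead@example.com",
                                           "fso@example.com")
        print(record)
    print("pull:", audit_published({"/news/pr-001": CLEAN_RELEASE,
                                    "/news/legacy": MARKED_DRAFT}))
```

Run it as-is to see one approved record, one blocked record listing each marking hit, and the legacy page queued for removal. Wiring `review_for_public_release` into your CMS or pull-request workflow for the website gives you objective [c]; running `audit_published` on a schedule over the crawled site gives you [d] and a trigger for [e].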

What passing evidence looks like

Passing evidence is the list of named reviewers who may approve public posts, the pre-posting review procedure, and a record of at least one review cycle over your public sites. This requirement can never sit on a POA&M.

Common ways contractors fail AC.L2-3.1.22

  • Cannot be deferred: POA&M blocked, it must be MET on assessment day.
  • Your website, LinkedIn, and proposals are all publicly accessible surfaces. The procedure must cover all of them, and someone must actually check periodically; objective [e] requires that review and removal actually happen.

The step-by-step walkthrough for Microsoft 365 GCC High, Google Workspace, and on-premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.

Prove AC.L2-3.1.22, and the other 109

The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.

No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.

AC.L2-3.1.22 questions, answered

How many points is CMMC requirement AC.L2-3.1.22 worth?

AC.L2-3.1.22 is worth 1 point in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 1 from your total of 110.

Can AC.L2-3.1.22 be placed on a POA&M?

No. AC.L2-3.1.22 must be fully met before you can file. It cannot be deferred to a POA&M, so it is a gate on your assessment.

What family does AC.L2-3.1.22 belong to?

AC.L2-3.1.22 is in the Access Control (AC) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.

Key references
  • NIST SP 800-171 Rev. 2 3.1.22
  • FAR Clause 52.204-21 b.1.iv